Bitcoin Forum
Author Topic: [FORBES] How Private Are Bitcoin Transactions?  (Read 3268 times)
phillipsjk
Legendary

Activity: 1008

Let the chips fall where they may.
July 16, 2011, 05:42:08 AM
 #21

I always thought that self-signed certs were just as secure, only they could not be verified by trusted CAs, which would trigger an unsigned cert message in browsers; other than that they should function the same as signed ones, or am I misunderstanding?
The problem is that your browser trusts a lot of signing authorities. Many will let you buy a certificate that in turn lets you sign your own certificates. That means if your attacker has money, they can easily impersonate any website they want by signing a certificate in their name. Source: Certificate Patrol Website

Edit: You also need to be a company with over 5 million in assets, 5 million in insurance, and clear audited policies on how you use the certificates. For the GeoTrust root, anyway.
Quote
I've heard that there was some sort of vulnerability with OpenSSL certs, but other than that, are signed certs by well-known organizations safe? I mean, could a middleman such as an ISP intercept the handshake and public keys and eavesdrop inside the secure channel passing packets, or is it impossible?

I only started caring about ubiquitous encryption over the past 3 months or so. I am dismayed how prudent sending everything in clear-text really appears to be: HTTPS can easily give a false sense of security. I have not had time to tease out a list of best practices. My own website does not support HTTPS at the moment.

Edit: I have an interest in the gopher protocol. I may investigate using IPSec for encryption or authentication. I currently care more about authentication. Authentication can never be automated and easy: That is the situation we have with Certificate authorities. Users need to exchange information out-of-band: over the phone, in person, or by letter mail.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
lettucebee
Sr. Member

Activity: 253

July 16, 2011, 09:27:07 AM
 #22

When making an outgoing payment, pick a selection of addresses whose balances add up to only slightly more than the sum you wish to pay. Pool those into a new address (with a little left-over in one of the original accounts), and send the whole payment from that new address.

I don't fully understand what is being said here.  How did I end up with a selection of addresses whose balances add up to only slightly more than the sum I wish to pay?  Do I need to spend time sending and receiving to myself to have these?  Also, I thought the client chooses randomly across addresses which ones take the hit for an outgoing payment (true?).  If yes, how do I control which addresses take the hit?
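The strategy quoted above can be made concrete. The following is an added example (not from the article, the poster, or any wallet software) that picks the addresses whose balances come closest to the payment, pools them into a fresh address, and pays from there; it also shows, for contrast, what a single direct transaction would reveal to the payee. The wallet balances and address labels are constructed placeholders, and fees are ignored.

```python
from itertools import combinations

# Constructed sample wallet (label -> balance in satoshi); the labels are
# placeholders, not real Bitcoin addresses.
WALLET = {"addrA": 120_000, "addrB": 45_000, "addrC": 300_000,
          "addrD": 80_000, "addrE": 15_000}

def select_inputs(balances, target):
    """Smallest combined balance that still covers `target` (exhaustive search,
    fine for a handful of addresses). Returns (addresses, total) or None."""
    best = None
    addrs = list(balances)
    for k in range(1, len(addrs) + 1):
        for combo in combinations(addrs, k):
            total = sum(balances[a] for a in combo)
            if total >= target and (best is None or total < best[1]):
                best = (combo, total)
    return best

def naive_payment(balances, target):
    """One transaction straight from the chosen inputs: the payee sees every
    input address and the change output, all linked in one transaction."""
    sel = select_inputs(balances, target)
    if sel is None:
        raise ValueError("insufficient funds")
    inputs, total = sel
    change = {inputs[0]: total - target} if total > target else {}
    return {"inputs": list(inputs), "outputs": {"payee": target, **change}}

def pooled_payment(balances, target, pool_addr):
    """The quoted two-step recipe: consolidate exactly `target` into a fresh
    address (any surplus stays with one original address), then pay the payee
    from that fresh address in full. Fees are ignored for clarity."""
    sel = select_inputs(balances, target)
    if sel is None:
        raise ValueError("insufficient funds")
    inputs, total = sel
    change = {inputs[0]: total - target} if total > target else {}
    pooling_tx = {"inputs": list(inputs), "outputs": {pool_addr: target, **change}}
    payment_tx = {"inputs": [pool_addr], "outputs": {"payee": target}}
    return pooling_tx, payment_tx

def addresses_seen_by_payee(tx):
    """Wallet addresses the payee can read off the transaction that paid them."""
    return sorted(set(tx["inputs"]) | (set(tx["outputs"]) - {"payee"}))
```

Note that the pooling transaction itself is still on the chain, so a determined analyst can follow the fresh address back to its inputs; the recipe only keeps the payee from learning the rest of your wallet directly.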
ctoon6
Sr. Member

Activity: 350

July 16, 2011, 12:04:01 PM
 #23

The whole HTTPS thing seems silly to me. Who thought it was a good idea to combine HTTPS with verifying that who you are talking to is who you are talking to? It makes doing this more difficult for less technically inclined people, who think that who they are talking to is automatically bad. I believe these 2 things should be completely separate so we don't have to buy certs from some moron who thinks they have more trust than someone else.

phillipsjk
Legendary

Activity: 1008

Let the chips fall where they may.
July 16, 2011, 05:54:50 PM
 #24

HTTPS includes authentication, because without it man-in-the-middle attacks are trivial.

Encryption isn't magic security pixie dust. Without authentication, the attacker can simply set up two encrypted sessions: one to the user, and one to the server being impersonated.

error
Hero Member

Activity: 574

July 16, 2011, 06:06:54 PM
 #25

HTTPS includes authentication, because without it man-in-the-middle attacks are trivial.

Encryption isn't magic security pixie dust. Without authentication, the attacker can simply set up two encrypted sessions: one to the user, and one to the server being impersonated.

But.... but.... http://www.youtube.com/watch?v=3nbEeU2dRBg !!!

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
ctoon6
Sr. Member

Activity: 350

July 16, 2011, 07:04:47 PM
 #26

I like, I want some.

Serge
Legendary

Activity: 1050

July 16, 2011, 07:31:46 PM
 #27

I always thought that self-signed certs were just as secure, only they could not be verified by trusted CAs, which would trigger an unsigned cert message in browsers; other than that they should function the same as signed ones, or am I misunderstanding?
The problem is that your browser trusts a lot of signing authorities. Many will let you buy a certificate that in turn lets you sign your own certificates. That means if your attacker has money, they can easily impersonate any website they want by signing a certificate in their name. Source: Certificate Patrol Website

Edit: You also need to be a company with over 5 million in assets, 5 million in insurance, and clear audited policies on how you use the certificates. For the GeoTrust root, anyway.


With unsigned certificates my question isn't concerning trust, unless security is totally dependent on 3rd-party trusted authorities. So the question is: does an unsigned certificate provide the same level of security as a signed one? Whether the browser trusts it or not doesn't matter as long as the unsigned cert provides the same safe encrypted channel for transmitting data.
error
Hero Member

Activity: 574

July 16, 2011, 07:40:32 PM
 #28

With unsigned certificates my question isn't concerning trust, unless security is totally dependent on 3rd-party trusted authorities. So the question is: does an unsigned certificate provide the same level of security as a signed one? Whether the browser trusts it or not doesn't matter as long as the unsigned cert provides the same safe encrypted channel for transmitting data.

Yes, as long as you can be sure that the certificate actually belongs to the site that you think it does. But if the certificate is self-signed then you have to figure this out for yourself. Most people do not have the technical expertise (or the patience!) to do this.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
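"Figuring it out for yourself" with a self-signed certificate means pinning its fingerprint, obtained out-of-band, and refusing any session whose certificate does not match. The following is an added example (not from any poster or project) of that check: the fingerprint helpers run offline, while `connect_pinned` needs a reachable host and is assumed to be called with a fingerprint you confirmed over the phone or in person. `SAMPLE_DER` is a constructed byte string, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

def cert_fingerprint(der_bytes):
    """SHA-256 of the DER encoding, formatted the way browsers and openssl show it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der_bytes, pinned):
    """Constant-time comparison against a fingerprint obtained out-of-band (phone,
    paper, signed mail). Case and separators are normalised so a hand-copied
    value still compares correctly."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(cert_fingerprint(der_bytes)), norm(pinned))

def connect_pinned(host, pinned, port=443, timeout=10):
    """Open a TLS session and abort unless the peer certificate matches the pin.
    A substituted certificate (man-in-the-middle) fails this check even though
    no CA is involved. Needs network access; not exercised by the offline test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # CA and hostname checks cannot pass for a
    ctx.verify_mode = ssl.CERT_NONE  # self-signed cert; identity is checked below
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not fingerprint_matches(der, pinned):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "presented %s, expected pinned %s" % (cert_fingerprint(der), pinned))
    return tls

# Constructed stand-in for DER bytes; in practice the DER comes from the first
# connection and is pinned only after its fingerprint is confirmed out-of-band.
SAMPLE_DER = b"\x30\x82\x01\x00constructed, not a real certificate"
```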
ctoon6
Sr. Member

Activity: 350

July 16, 2011, 07:58:28 PM
 #29

How can you be sure that your browser was not involved in a man-in-the-middle attack and that its certs were not tampered with? The only way you can know 100% for sure who you are talking with on the internet is if you exchange keys in person.

joulesbeef
Sr. Member

Activity: 476


moOo

July 16, 2011, 08:10:08 PM
 #30

I'm not sure I understand the article completely.

Don't people tend to use multiple addys? I know it seems to be a noob mistake to think that your old addys are no good, as it changes right after you receive some coin.

And how can you link someone's receive addresses with their send ones?

Or is he just saying, if you collect your poker winnings with one address, don't use that same address in your forum sigs?

If people only used one address for their questionable activity and then one for everything else, what else would the authorities know besides money travelling between a known illegal addy like Silk Road and an address that a user only uses for that purpose?

I guess there are links between addies and IPs?

mooo for rent
ctoon6
Sr. Member

Activity: 350

July 16, 2011, 08:13:21 PM
 #31

I'm not sure I understand the article completely.

Don't people tend to use multiple addys? I know it seems to be a noob mistake to think that your old addys are no good, as it changes right after you receive some coin.

And how can you link someone's receive addresses with their send ones?

Or is he just saying, if you collect your poker winnings with one address, don't use that same address in your forum sigs?

If people only used one address for their questionable activity and then one for everything else, what else would the authorities know besides money travelling between a known illegal addy like Silk Road and an address that a user only uses for that purpose?

I guess there are links between addies and IPs?


You could get a new "identity" by dumping all your coins in a laundering service and killing all your old addresses. If you needed to, you could use Tor for all BC-related stuff.

lettucebee
Sr. Member

Activity: 253

July 16, 2011, 08:29:40 PM
 #32

You could get a new "identity" by dumping all your coins in a laundering service...

That's not entirely true, right? If you have a large sum of money you could overwhelm the launderer and end up receiving some of your own coins back. Even ONE would be enough to trip you up.
ctoon6
Sr. Member

Activity: 350

July 16, 2011, 08:33:58 PM
 #33

You could get a new "identity" by dumping all your coins in a laundering service...

That's not entirely true, right? If you have a large sum of money you could overwhelm the launderer and end up receiving some of your own coins back. Even ONE would be enough to trip you up.

http://xuie7qspblyer5ms.onion/
